Spam zombie PCs coming back to life

Computers that are part of the Srizbi botnet - which by some estimates sent nearly half of the world's spam - are apparently becoming active again.

Spammers regain Srizbi botnet control

By
Jeremy Kirk
| 27 Nov 2008

The zombie computers used to send spam are coming back to life.

Security vendors say spammers are reconnecting with hacked PCs used for sending spam as evidenced by a rising number of spam messages circulating on the Internet the last few days. Spam levels suddenly dropped two weeks ago after the shutdown of McColo, a rogue ISP (Internet Service Provider) based in San Jose, California, whose connectivity was used to control networks of hundreds of thousands of computers to send spam, known as botnets.

Computers that are part of the Srizbi botnet - which by some estimates sent nearly half of the world's spam - are apparently becoming active again, according to researchers from FireEye.

"Srizbi has returned from the dead and has begun updating all its bots with a fresh, new binary," according to a blog post on Tuesday by Atif Mushtaq and Alex Lanstein of FireEye. "The worldwide update began just a few hours ago."

Srizbi's computers were controlled by spammers through McColo's network. When McColo was shut down, those computers tried to call back and get new instructions to send spam. But the botnet operators are clever and created a way to get those machines back if they were stranded.

FireEye researchers essentially did an autopsy on Srizbi's code. They found that the hackers put in an algorithm that dynamically generates a domain name from which a compromised computer could fetch new instructions.

The hackers could then register that domain name and put instructions there to tell the compromised PC to go to a different command-and-control server - not McColo's - for new instructions.

Since FireEye figured out how the algorithm worked, the company registered the gibberish domain names, such as "auaopagr.com," that algorithm generated. When those machines reported for duty, there were no instructions. But FireEye couldn't keep pre-empting the spammers forever by buying domain names.

Now the compromised computers are connecting to domain names registered by the spammers and getting updated code, including templates for new spam campaigns. The new command-and-control servers are in Estonia and the domain names are being bought from a registrar in Russia, FireEye said.

Srizbi at one time amounted to more than 450,000 PCs, and it remains to be seen how many of those machines have updated code. But three other botnets that were controlled via McColo - Rustock, Cutwail and Asprox - all appear to also be coming back online.

Dmitry Samosseiko of computer security vendor Sophos wrote on Wednesday that spam levels suddenly surged earlier this week, due in part to the resurgence of the Rustock botnet.

McColo's connectivity was briefly restored by mistake by TeliaSonora, and the precious few hours online allowed spammers to tell computers infected with Rustock where to go for new instructions.

Antispam vendor MessagLabs, which was recently acquired by Symantec, hasn't noted a rise in spam associated with Srizbi, said Paul Wood, senior analyst based in their UK offices.

Wood said MessageLabs analyzes spam that ends up in the inboxes of its 8 million users and it may be that Srizbi is either not up to speed yet or changed how it targets people.

But MessageLabs has noticed an uptick in spam coming from Rustock, Cutwail and Asprox, which would indicate those botnets are picking up Srizbi's slack.

"Like any sort of business if your courier goes down or goes on strike, you find an alternative provider," Wood said.

Still, spam levels are around 40 percent of what they were before McColo went down, Wood said.